Bug 103016

Summary: NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
Product: poppler
Reporter: Ziqiang Gu <etovio>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: major
Priority: medium
Version: unspecified
Hardware: All
OS: All
Attachments: POC file of the vulnerability

Description Ziqiang Gu 2017-09-28 02:00:59 UTC
Created attachment 134518
POC file of the vulnerability

In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document. Attackers may exploit this vulnerability by persuading users to open crafted PDF files.

GDB trace is as follows:

gzq@ubuntu:~/fuzz/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftocairo
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftocairo...done.
(gdb) r -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf 
Starting program: /home/gzq/install/poppler-dev/bin/pdftocairo -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>, in=<optimized out>, out=<optimized out>, length=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
5933		*inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>, in=<optimized out>, out=<optimized out>, length=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
#1  0x000000000042542b in CairoOutputDev::drawSoftMaskedImage (this=<optimized out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>, width=<optimized out>, height=<optimized out>, colorMap=0x14b, interpolate=<optimized out>, maskStr=<optimized out>, 
    maskWidth=<optimized out>, maskHeight=<optimized out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/CairoOutputDev.cc:2717
#2  0x00007ffff72abd4c in Gfx::doImage (this=<optimized out>, ref=<optimized out>, str=<optimized out>, inlineImg=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4596
#3  0x00007ffff727444b in Gfx::opXObject (this=0x68fd00, args=<optimized out>, numArgs=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4173
#4  0x00007ffff7295587 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:886
#5  0x00007ffff729391d in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:750
#6  0x00007ffff7292fb5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:712
#7  0x00007ffff73a347e in Page::displaySlice (this=<optimized out>, out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=-1, sliceY=<optimized out>, sliceW=<optimized out>, 
    sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/Page.cc:560
#8  0x00007ffff73b0641 in PDFDoc::displayPageSlice (this=0x68bd00, out=0x68cdb0, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=false, crop=false, printing=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, 
    sliceW=<optimized out>, sliceH=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/gzq/work/sourcecode/poppler/poppler/PDFDoc.cc:517
#9  0x0000000000411e8d in renderPage (doc=0x68bd00, cairoOut=<optimized out>, pg=<optimized out>, page_w=<optimized out>, page_h=<optimized out>, output_w=<optimized out>, output_h=<optimized out>) at /home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:728
#10 main (argc=<optimized out>, argv=<optimized out>) at /home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:1268
(gdb)

The POC file has been attached to reproduce this issue.
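The trace above prints "Bogus memory allocation size" immediately before the fault on the byte_lookup index at GfxState.cc:5933, which reads as the lookup table never having been allocated. The C example below is added here and is not poppler's code: it models that pattern defensively, with an overflow-checked table allocation that returns NULL and a getGrayLine-style loop that refuses a missing table instead of indexing it. The allocator, the table contents and the gray conversion are stand-ins assumed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for an overflow-checked allocator: like the "Bogus memory
 * allocation size" path in the trace, it reports the bad size and returns
 * NULL instead of a buffer. Assumed behaviour, not poppler's own code. */
static unsigned char *alloc_table(int nEntries, int nComps) {
    if (nEntries <= 0 || nComps <= 0 || nEntries > INT_MAX / nComps) {
        fprintf(stderr, "Bogus memory allocation size\n");
        return NULL;
    }
    return malloc((size_t)nEntries * (size_t)nComps);
}

/* Build the byte lookup (maxPixel+1 rows of nComps bytes). The contents are
 * a constructed scaling of each sample to 0..255; a real decoder would fill
 * the table from the image's /Decode array. Returns NULL when the requested
 * size overflows, which is the case the caller must handle. */
static unsigned char *build_byte_lookup(int maxPixel, int nComps) {
    if (maxPixel <= 0 || nComps <= 0) return NULL;
    unsigned char *byte_lookup = alloc_table(maxPixel + 1, nComps);
    if (!byte_lookup) return NULL;
    for (int pix = 0; pix <= maxPixel; pix++)
        for (int i = 0; i < nComps; i++)
            byte_lookup[pix * nComps + i] = (unsigned char)((long)pix * 255 / maxPixel);
    return byte_lookup;
}

/* Hardened form of the loop at the crash line: check the table before
 * indexing it rather than dereferencing NULL. Returns 0 on success, -1 if
 * the table is absent. Gray is the mean of the mapped components, a
 * stand-in for the colour space's own conversion. */
static int get_gray_line(const unsigned char *byte_lookup, int nComps,
                         unsigned char *in, unsigned char *out, int length) {
    if (!byte_lookup || nComps <= 0) return -1;   /* the check the crash lacks */
    unsigned char *inp = in;
    for (int j = 0; j < length; j++) {
        int sum = 0;
        for (int i = 0; i < nComps; i++, inp++) {
            *inp = byte_lookup[*inp * nComps + i];   /* same indexing as line 5933 */
            sum += *inp;
        }
        out[j] = (unsigned char)(sum / nComps);
    }
    return 0;
}
```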
